-rw-r--r-- | ANNOUNCE | 4 | ||||
-rw-r--r-- | CHANGES | 4 | ||||
-rw-r--r-- | pngpread.c | 5 |
3 files changed, 12 insertions, 1 deletions
@@ -41,6 +41,10 @@ Version 1.6.23rc01 [June 2, 2016]
 Moved sse2 prototype from pngpriv.h to contrib/intel/intel_sse.patch.
 Added missing ")" in pngerror.c (Matt Sarrett).
+Version 1.6.23rc02 [June 3, 2016]
+ Fixed undefined behavior in png_push_save_buffer(). Do not call
+ memcpy() with a null source, even if count is zero (Leon Scroggins III).
+
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit https://lists.sourceforge.net/lists/listinfo/png-mng-implement
@@ -5589,6 +5589,10 @@ Version 1.6.23rc01 [June 2, 2016]
 Moved sse2 prototype from pngpriv.h to contrib/intel/intel_sse.patch.
 Added missing ")" in pngerror.c (Matt Sarrett).
+Version 1.6.23rc02 [June 3, 2016]
+ Fixed undefined behavior in png_push_save_buffer(). Do not call
+ memcpy() with a null source, even if count is zero (Leon Scroggins III).
+
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit https://lists.sourceforge.net/lists/listinfo/png-mng-implement
diff --git a/pngpread.c b/pngpread.c
index 2e0208813..557153366 100644
--- a/pngpread.c
+++ b/pngpread.c
@@ -501,7 +501,10 @@ png_push_save_buffer(png_structrp png_ptr)
 png_error(png_ptr, "Insufficient memory for save_buffer");
 }
- memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size);
+ if (old_buffer)
+ memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size);
+ else if (png_ptr->save_buffer_size)
+ png_error(png_ptr, "save_buffer error");
 png_free(png_ptr, old_buffer);
 png_ptr->save_buffer_max = new_max;
 } |
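Review bot: The new `else if (png_ptr->save_buffer_size)` branch in png_push_save_buffer() enforces an invariant (a NULL old buffer is only acceptable when no bytes are saved) that nothing in the hunk states, and the message "save_buffer error" does not say which condition failed. A comment above `if (old_buffer)` would document it, for example `/* memcpy() with a NULL source is undefined even for a zero count; a NULL old_buffer with a non-zero save_buffer_size means the saved-data state is inconsistent. */`. Because png_error() is reached before `png_ptr->save_buffer_max = new_max;`, the struct is presumably left with a non-zero save_buffer_size and a stale maximum on that path. If so, setting `png_ptr->save_buffer_size = 0;` before the png_error() call would stop any later use of the struct from treating uninitialised bytes as saved input. The function body starts and ends outside the hunk, so where save_buffer is reassigned is not visible here and should be checked.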